7 pws - password store management
11 *pws* 'COMMAND' ['OPTIONS']
16 The pws tool allows you to store passwords (or anything else, really) in
17 a set of encrypted files. Each file can be encrypted to a different set
18 of users. pws helps you with the bookkeeping of which keys to encrypt
19 each file to and provides a convinient wrapper to edit protected files.
24 First you need a file where your users and group are defined in. This
25 file is named .users. Lines consist of assignments of the form
26 <username> = <keyfingerprint>
28 @<groupname> = <username>|@<groupname> [, [<username>|@<groupname> ...]
30 Lines starting with a # are comments and thus get ignored.
32 --------------------------------
35 # This file needs to be gpg signed by a key whose fingerprint
36 # is listed in ~/.pws-trusted-users
38 formorer = 6E3966C1E1D15DB973D05B491E45F8CA9DE23B16
39 weasel = 25FC1614B8F87B52FF2F99B962AF4031C82E0039
40 @admins = formorer, weasel
42 zobel = 6B1856428E41EC893D5DBDBB53B1AC6DB11B627B
43 maxx = 30DC1D281D7932F55E673ABB28EEB35A3E8DCCC0
46 @all = @admins, @vienna
48 # gpg --clear .users && mv .users.asc .users
49 --------------------------------
51 The .users file is designed to live in a SCM repository, such as git,
52 alongside all the other encrypted files. In order to prevent
53 unauthorized tampering with the .users file - for tricking somebody to
54 re-encrypt data to the wrong key - the .users file needs to be
55 PGP-clearsigned with a key from a whitelist.
57 This whitelist lives in ~/.pws-trusted-users, and simply takes one
58 key fingerprint per line:
60 ---------------------------------
61 # cat ~/.pws-trusted-users
64 6E3966C1E1D15DB973D05B491E45F8CA9DE23B16
65 ---------------------------------
67 Currently this whitelist is the same for any pws repositories a user
68 might have. A patch to remove this limitation would be nice.
74 -----------------------------
76 -----------------------------
81 Every file needs a header like:
83 ------------------------------
85 ------------------------------
87 You can edit the encrypted file with the pws tool: +pwd ed file+.
92 If available as .keyring pws instructs GnuPG to use this keyring in
93 addition to the user's default keyrings. This allows sharing of the
94 keyring in the repository. Use +pws update-keyring+ to
95 update/initialize this keyring.
100 Peter Palfrader <peter@palfrader.org>